Privacy policy

Who we are, and what this covers

Graaft builds AI people. This policy explains how we handle personal information on our website at graaft.ai. We are the responsible party under South Africa’s Protection of Personal Information Act (POPIA), and the entity accountable under Australia’s Privacy Act 1988 and the Australian Privacy Principles (APPs).

We operate from Perth, Australia and Johannesburg, South Africa, and we hold ourselves to both laws regardless of any size threshold that might otherwise apply.

This policy covers the graaft.ai marketing website only. Our AI products are separate services, with their own terms and privacy information. Personal information means information that identifies you, or that could reasonably identify you.

What we collect

We collect what you choose to give us. When you write to us or send an enquiry, we receive your name, your email address, and whatever you put in your message. When you subscribe to our newsletter, we receive your email address.

We also collect basic technical information automatically when you visit, through our hosting provider. This includes your IP address, your browser and device type, the pages you view, and the date and time. We use it to serve the site, keep it secure, and diagnose faults.

We use privacy-friendly, cookieless analytics to understand which pages are visited and how the site performs, always in aggregate. It does not use cookies, does not track you across other websites, and does not build a profile of you. We do not run advertising trackers, we do not set marketing cookies, and we do not sell or rent your personal information. We do not collect more than we need.

Why we collect it

We use your personal information to reply to you. To send the newsletter you asked for. To operate, secure, and improve the website. To meet legal obligations where they apply.

Under POPIA we rely on your consent and on our legitimate interests in running the studio. Under the APPs we use your information for the purpose you gave it to us, and for related purposes you would reasonably expect.

Giving us your information is voluntary. You can browse graaft.ai without telling us who you are. If you choose not to share contact details, we will not be able to reply or send you updates.

Cookies and embedded content

We do not use cookies to track you, and we do not profile your behaviour. Our fonts and assets are served from the site itself.

Some writing pages embed a podcast player from Spotify. If you play an episode, Spotify may set its own cookies and receive your IP address and device information, under the Spotify privacy policy. If you would rather avoid this, do not play the embedded player.

Our forms are protected from spam and abuse by Cloudflare Turnstile. When you interact with a form, Turnstile may receive your IP address and signals about your browser to tell humans from bots. It is not used to track you or to advertise, under the Cloudflare privacy policy.

Marketing and the newsletter

If you subscribe, we send you occasional updates from the studio. Nothing else.

We ask for your consent once. Every email we send carries a clear way to unsubscribe, and you can opt out at any time. If you have been in touch with us before, we may let you know about related work, and you can decline just as easily.

Who we share it with

We do not sell your personal information, and we do not share it for anyone else’s marketing.

We use a small set of service providers to run the website and reach you: website hosting and content delivery, privacy-friendly analytics, spam protection for our forms, email and productivity tools, and a newsletter delivery service. They act on our instructions, under contracts that require them to protect your information and to use it only to provide their service to us.

We may disclose information if the law requires it, or to establish or defend a legal claim.

Sending information overseas

Some of our service providers are located outside South Africa and Australia, including in the United States. This means your personal information may be processed in another country.

South Africa (POPIA section 72)

We transfer personal information abroad only where the recipient is bound by laws or contracts that give it protection substantially similar to POPIA, where you have consented, or where the transfer is necessary to provide what you asked for.

Australia (APP 8)

Before personal information is handled overseas, we take reasonable steps to ensure the recipient treats it consistently with the Australian Privacy Principles, and we remain accountable for it.

How long we keep it

We keep personal information only as long as we need it. Enquiries are kept while we deal with them and for a reasonable period afterwards, then deleted or anonymised. Newsletter records are kept until you unsubscribe. Technical logs are kept for a short period, usually ninety days.

We keep information for longer only where the law requires it. You can ask us to delete your information sooner, and we will, unless we are required to retain it.

How we protect it

We take appropriate technical and organisational measures to protect your personal information against loss, misuse, and unauthorised access. We choose reputable providers, limit who can reach your data, and review our safeguards. We keep what we hold small, which is itself a protection.

If something goes wrong

If a breach affects your personal information, we act quickly to contain it and to put things right. We will tell you and the relevant regulator when the law requires it.

South Africa (POPIA)

We notify the Information Regulator and the people affected as soon as reasonably possible after we become aware of a compromise.

Australia (Notifiable Data Breaches scheme)

Where a breach is likely to result in serious harm, we notify the Office of the Australian Information Commissioner and the people affected.

Your rights

You have rights over the personal information we hold about you. They differ slightly by country.

South Africa (POPIA)

You can ask for access to your information. You can ask us to correct or delete it. You can object to how we use it, and to direct marketing. You can ask not to be subject to a decision based only on automated processing. You can complain to the Information Regulator.

Australia (Privacy Act and the APPs)

You can ask for access to your information and ask us to correct it. You can opt out of direct marketing. You can deal with us anonymously or under a pseudonym where that is lawful and practical.

How to exercise them

Write to ask@graaft.ai. We may need to confirm your identity first. We respond as soon as we can, and aim to reply within thirty days. This is free, although POPIA allows a reasonable fee for some copies of records.

Automated decisions, children, and sensitive information

The graaft.ai website does not use your personal information to make automated decisions that have a significant effect on you. Our AI products are covered by their own terms and privacy information.

This website is not aimed at children, and we do not knowingly collect personal information from children through it. We also do not seek special or sensitive information through it, such as health, race, religion, or biometric data. If you believe a child has given us personal information, write to ask@graaft.ai and we will delete it.

Contact us, and how to complain

For any privacy question, or to exercise your rights, write to ask@graaft.ai. We are Graaft, based in Perth, Australia and Johannesburg, South Africa.

If you are not satisfied with our response, you can take it further with the regulator in your country.

South Africa: Information Regulator

Visit inforegulator.org.za, email POPIAComplaints@inforegulator.org.za, or call +27 (0)10 023 5200.

Australia: OAIC

Please raise it with us first. If it is still unresolved after thirty days, visit oaic.gov.au or call 1300 363 992.

We review this policy and update it as our practices change. This version is effective 2 June 2026.